W32/Dumaru.w
- Type: Trojan
- SubType: Phishing
- Discovery Date: 01/20/2004
- Length: 53,760 bytes (UPXed); 31,232 bytes (DLL - UPXed)
- Minimum DAT: 4317 (01/21/2004)
- Updated DAT: 4317 (01/21/2004)
- Minimum Engine: 5.1.00
- Description Added: 01/23/2004
- Description Modified: 01/27/2004 2:27 AM (PT)
Characteristics
This detection is for malware bearing strong similarities to W32/Dumaru@MM. It is written in Borland C++ and packed with UPX.
This variant does not propagate by email or network shares. It may be delivered to the victim machine by various mechanisms. Popular methods used recently include:
- dropped after visiting a specific web page (web page contains a script to drop/execute the binary)
- spammed out to users
- downloaded or dropped by another piece of malware
The variant contains its own SMTP engine (for mailing out stolen data), and carries a keylogging DLL which is intended for stealing data from the victim machine.
Keylogging - Phishing Scam
This variant appears to incorporate a phishing scam. Strings within the trojan suggest that it is intended to prompt the user for banking credentials (surname, membership number, passcode).
The main binary carries a keylogging dll in its body which is installed onto the victim machine as SOCK64.DLL:
- %WinDir%\SOCK64.DLL (31,232 bytes)
This DLL is intended to log the credentials described above, plus clipboard contents, to a file named BANK.LOG on the local machine. This file was not created in testing and the logging has not been observed thus far, but analysis continues. The DLL is detected as PWS-Kadun with the specified engine/DATs combination.
The main binary contains its own SMTP engine for constructing outgoing messages. It carries a series of hard-coded email addresses, presumably belonging to the attacker, to which logged data may be sent. An outgoing connection to the following SMTP server may be observed from the victim machine:
smtp.rambler.ru
A lookup in the Registry is also performed to determine the system default SMTP server.
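Because the trojan carries its own SMTP engine, the exfiltration is visible on the network as a workstation speaking SMTP directly instead of handing mail to the corporate gateway. The following is an added example, not part of this description or of any vendor tooling, of that check run over constructed firewall and DNS log lines: the one-event-per-line log format, the 203.0.113.x destination addresses and the single permitted mail gateway 10.1.0.25 are assumptions made for the example.

```python
"""Flag workstations that resolve the relay named above or open TCP/25 themselves.

Added example, not from the advisory. The log format is constructed for this
example: "<iso-time> conn src=<ip> dst=<ip> dport=<port>" for connections and
"<iso-time> dns src=<ip> q=<name>" for DNS queries. Map your own firewall and
resolver fields onto these before use.
"""
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

KNOWN_RELAY = "smtp.rambler.ru"  # SMTP server named in the description
MAIL_GATEWAYS = {"10.1.0.25"}    # assumption: the only host allowed to send mail out

_EVENT = re.compile(
    r"^(\S+) (conn|dns) src=(\S+)(?: dst=(\S+) dport=(\d+))?(?: q=(\S+))?$"
)


def parse_event(line: str) -> Optional[tuple]:
    """Return (time, kind, src, dst, dport, query) or None for unparseable lines."""
    m = _EVENT.match(line.strip())
    if not m:
        return None
    ts, kind, src, dst, dport, q = m.groups()
    return datetime.fromisoformat(ts), kind, src, dst, int(dport) if dport else None, q


def flag_smtp_egress(lines: List[str], window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, str]]:
    """Return (src, reason, detail) for each suspicious event, in time order.

    A port-25 connection from a non-gateway host is suspicious on its own; one that
    follows a lookup of the known relay within `window` is reported separately,
    since the trojan may also use the system default SMTP server from the Registry."""
    events = sorted((e for e in map(parse_event, lines) if e), key=lambda e: e[0])
    last_lookup = {}  # src -> time of most recent query for KNOWN_RELAY
    findings: List[Tuple[str, str, str]] = []
    for ts, kind, src, dst, dport, q in events:
        if kind == "dns" and q and q.lower() == KNOWN_RELAY:
            last_lookup[src] = ts
            findings.append((src, "relay-lookup", q))
        elif kind == "conn" and dport == 25 and src not in MAIL_GATEWAYS:
            t0 = last_lookup.get(src)
            reason = "smtp-after-relay-lookup" if t0 is not None and ts - t0 <= window else "smtp-from-workstation"
            findings.append((src, reason, dst))
    return findings


# Constructed sample: one infected workstation, the legitimate gateway, an HTTPS
# connection that must not fire, and a second host speaking SMTP without a lookup.
SAMPLE_LOG = """
2004-01-21T10:02:10 dns src=10.1.5.23 q=smtp.rambler.ru
2004-01-21T10:02:11 conn src=10.1.5.23 dst=203.0.113.25 dport=25
2004-01-21T10:03:40 conn src=10.1.0.25 dst=203.0.113.40 dport=25
2004-01-21T10:05:02 conn src=10.1.5.23 dst=203.0.113.80 dport=443
2004-01-21T11:30:00 conn src=10.1.7.9 dst=203.0.113.91 dport=25
""".strip().splitlines()

if __name__ == "__main__":
    for src, reason, detail in flag_smtp_egress(SAMPLE_LOG):
        print(f"{src}: {reason} ({detail})")
```

The gateway allow-list is what keeps this usable: the relay name can change between variants, but a keylogger with a built-in mailer still has to open port 25 from the infected host.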
Note: If the W32/Dumaru process is running on the victim machine, this DLL will be locked for access. To avoid a potential clean error, users are recommended to configure VirusScan 7 to scan processes running in memory.
Symptoms
Method of Infection
When executed, this variant drops multiple copies of itself onto the victim machine:
%WinDir%\DLLREG.EXE
%SysDir%\LOAD32.EXE
%SysDir%\VXDMGR32.EXE
A copy is also dropped into the Windows startup folder as RUNDLLW.EXE, for example:
%WinDir%\Start Menu\Programs\Startup\RUNDLLW.EXE
The following Registry value is added to hook system startup (9x and NT):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"load32" = %SysDir%\load32.exe
On NT/2k systems the following value is also added:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Run
"run" = %WinDir%\DLLREG.EXE
The Winlogon Shell value is also modified, appending the trojan to the normal explorer.exe entry so that it is launched together with the shell at logon:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" = explorer.exe C:\WINNT\System32\vxdmgr32.exe
The WIN.INI and SYSTEM.INI system files are also modified to hook system startup. The following entry is added to WIN.INI:
[windows]
"run" = %WinDir%\dllreg.exe
The following entry in SYSTEM.INI:
[boot]
"shell" = Explorer.exe
is modified to:
"shell" = explorer.exe %SysDir%\VXDMGR32.EXE
Removal
All Users:
Use specified engine and DAT files for detection.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be removed when cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all Registry keys created by this threat.
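Whether hunting for the infection or verifying that cleaning removed the startup hooks listed under Method of Infection, the checks reduce to a handful of Registry values and INI entries. The following is an added example, not McAfee's tooling or part of this description, that runs those checks offline over a registry export in .reg format and the text of WIN.INI and SYSTEM.INI; the sample inputs at the bottom are constructed for the example, and the benign ctfmon Run value is there only to show that ordinary entries are not flagged.

```python
"""Hunt for the W32/Dumaru.w startup hooks (added example, not vendor code).

Input is .reg export text and INI file text so it runs offline; on a live
host feed it `reg export` output and the real WIN.INI / SYSTEM.INI.
"""
import re
from typing import Dict, List

# Filenames the trojan drops, per the description.
DUMARU_FILES = {"dllreg.exe", "load32.exe", "vxdmgr32.exe", "rundllw.exe", "sock64.dll"}

# Startup locations the description says it writes to (lowercased for matching).
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows nt\currentversion\run",
)
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')  # REG_SZ values only


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string values of a .reg export into {key: {name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            # .reg files double every backslash; undo that so paths compare cleanly.
            keys[current][m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return keys


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: {section: {key: value}} with lowercased names."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            k, v = line.split("=", 1)
            sections[current][k.strip().lower()] = v.strip()
    return sections


def basename(path: str) -> str:
    """Last path component, lowercased: %SysDir%\\LOAD32.EXE -> load32.exe."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def shell_hijacked(shell_value: str) -> bool:
    """A clean Shell value is exactly explorer.exe; this variant appends a
    second program, which the shell loader then starts at every logon."""
    tokens = [t.lower() for t in shell_value.split()]
    return bool(tokens) and tokens != ["explorer.exe"]


def find_dumaru_hooks(reg: Dict[str, Dict[str, str]], win_ini: Dict[str, Dict[str, str]],
                      system_ini: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one line per startup hook matching the description."""
    findings: List[str] = []
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if basename(data) in DUMARU_FILES:
                findings.append(f"{key}\\{name} = {data}")
    shell = reg.get(WINLOGON_KEY, {}).get("shell", "")
    if shell_hijacked(shell):
        findings.append(f"{WINLOGON_KEY}\\shell = {shell}")
    # WIN.INI [windows] run= and load= are the Win9x-era equivalent of Run keys.
    for name in ("run", "load"):
        value = win_ini.get("windows", {}).get(name, "")
        if value and basename(value) in DUMARU_FILES:
            findings.append(f"WIN.INI [windows] {name}={value}")
    shell = system_ini.get("boot", {}).get("shell", "")
    if shell_hijacked(shell):
        findings.append(f"SYSTEM.INI [boot] shell={shell}")
    return findings


# Constructed samples reproducing the hooks in the description plus one benign Run value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"load32"="C:\\WINNT\\System32\\load32.exe"
"ctfmon"="C:\\WINNT\\System32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Run]
"run"="C:\\WINNT\\DLLREG.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINNT\\System32\\vxdmgr32.exe"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINNT\\dllreg.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe C:\\WINNT\\System32\\VXDMGR32.EXE\n"

if __name__ == "__main__":
    for hook in find_dumaru_hooks(parse_reg_export(SAMPLE_REG), parse_ini(SAMPLE_WIN_INI),
                                  parse_ini(SAMPLE_SYSTEM_INI)):
        print("HOOK:", hook)
```

The Shell checks deliberately flag any value other than a lone explorer.exe rather than looking for VXDMGR32.EXE by name, since the appended-program trick is the reusable part of this persistence and the filename is not. Remember the note above about the locked SOCK64.DLL: an empty result from this script after cleaning says nothing about the DLL still loaded in a running process.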
Variants
N/A
Overview
This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
Aliases
- Backdoor.Dumador.r (AVP)
- PWS-Kadun
- Trojan.PWS.Kadun
- W32/Dumaru.w@MM
- Win32/Dumaru.S (Eset)